A template is used to define the index settings and field mappings that Elasticsearch (ES) applies to matching indices.
Create a custom Logstash template
Create a file that specifies the template; this gives you full control over how the fields in your log events are mapped.
> vim /home/osadmin/ELK/logstash-2.3.2/myapp-template.json
{
"template": "myapp-template*",
"settings": {
"index.refresh_interval": "5s"
},
"mappings": {
"logs": {
"properties": {
"@timestamp": {
"type": "date",
"doc_values": true
},
"@version": {
"type": "string",
"index": "not_analyzed",
"doc_values": true
},
"eventSource": {
"type": "string",
"index": "not_analyzed"
},
"host": {
"type": "string",
"index": "not_analyzed"
},
"lineNumber": {
"type": "long"
},
"logLevel": {
"type": "string",
"index": "not_analyzed"
},
"logType": {
"type": "string",
"index": "not_analyzed"
},
"mco": {
"type": "string",
"index": "not_analyzed"
},
"operation": {
"type": "string"
},
"operationLevel": {
"type": "string",
"index": "not_analyzed"
},
"path": {
"type": "string",
"index": "not_analyzed"
},
"result": {
"type": "string"
},
"resultCode": {
"type": "long"
},
"role": {
"type": "string",
"index": "not_analyzed"
},
"service": {
"type": "string",
"index": "not_analyzed"
},
"status": {
"type": "string",
"index": "not_analyzed"
},
"timeConsumed": {
"type": "long"
},
"timestamp": {
"type": "date",
"format": "YYYY-MM-dd HH:mm:ss"
},
"userId": {
"type": "string",
"index": "not_analyzed"
}
}
}
}
}
Use the template
Reference the template inside the output section of the Logstash configuration file.
> cd /home/osadmin/ELK/logstash-2.3.2
> vim myapp-logstash.conf
# Logstash output stage: ship every event to Elasticsearch and echo it to stdout.
output {
  elasticsearch {
    # Bare host:port with no scheme — as written this is an unauthenticated HTTP
    # connection to ES. The elasticsearch output also accepts `ssl`, `cacert`,
    # `user` and `password` for clusters that require TLS and/or credentials.
    hosts => ["10.170.200.53:9200"]

    # One index per day. NOTE(review): the template file installed below declares
    # "template": "myapp-template*", which does not match "myapp-logs-*"; unless the
    # pattern in the JSON file is changed to match these index names, ES will not
    # apply the custom mapping and every field falls back to dynamic mapping.
    index => "myapp-logs-%{+YYYY.MM.dd}"

    # Absolute path to the mapping file; Logstash installs it in ES under
    # `template_name` at startup and, because `template_overwrite` is true,
    # replaces any existing template with that name.
    template           => "/home/osadmin/ELK/logstash-2.3.2/myapp-template.json"
    template_name      => "myapp-template"
    template_overwrite => true
  }

  # Prints the full event (including fields such as userId) to the console —
  # intended for debugging, not for a production pipeline.
  stdout { codec => rubydebug }
}